Bug 192712 - net-misc/nx-2.1.0, nxnode-2.1.0 Multiple issues in XFree86 code
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/21446/
Whiteboard: B2 [glsa]
Reported: 2007-09-16 18:05 UTC by Robert Buchholz (RETIRED)
Modified: 2007-10-09 22:45 UTC

Description Robert Buchholz (RETIRED) gentoo-dev 2007-09-16 18:05:23 UTC
net-misc/nx contains a modified version of XFree86 4.3.0 in the file nx-X11-2.1.0-3.tar.gz. That file contains xfree code from February 2003 that is, by itself, vulnerable to several issues reported since then. I am unaware whether the package was patched for some of the earlier issues, but I verified the code is unpatched for:

* CVE-2007-1003 (Integer overflow in ALLOCATE_LOCAL in the ProcXCMiscGetXIDList function in the XC-MISC extension)
in nx-X11/programs/Xserver/Xext/xcmisc.c

* CVE-2007-1351 (Integer overflow in the bdfReadCharacters function in bdfread.c)
in nx-x11/lib/font/bitmap/bdfread.c

* CVE-2007-1352 (Integer overflow in the FontFileInitTable function)
in nx-x11/lib/font/fontfile/fontdir.c

* CVE-2007-1667 (Multiple integer overflows in (1) the XGetPixel function in ImUtil.c, and (2) XInitImage)
in nx-x11/lib/X11/ImUtil.c

* CVE-2006-6101 CVE-2006-6102 CVE-2006-6103 (Multiple integer overflows in dbe and render extensions)

* CVE-2006-3739 CVE-2006-3740 (Integer overflows in handling CID encoded Type1 fonts)

This code is compiled and statically linked into the nxagent (nx X server) executable. I believe the privilege escalations are not issues here because nxagent is running with user rights. Nevertheless some might be a security problem.

As far as I saw, nx is only used for the GPL NX server "nxserver-freenx" and not for nxserver-freeedition. nx is stable on x86 as per bug 180040.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-09-16 18:43:05 UTC
nx, what's your advice?
Comment 2 Bernard Cafarelli gentoo-dev 2007-09-16 21:55:45 UTC
net-misc/nxnode's (for the freeedition server) nxagent is built from the same code, so it's vulnerable as well

The 2.x branch (based on xfree) is not maintained anymore upstream, replaced in favor of 3.x (xorg-based and maintained).

So I'd recommend dropping nxnode 2.1* (and nxserver-freeedition 2.1 that only works with it), and only leave 3.0: this will require x86 stabilization for nxclient-3.0.0-r3 (3.0 version is required by nxnode 3.0), nxnode-3.0.0-r2 and nxserver-freeedition-3.0.0-r2

For freenx, a patch was released to get freenx-0.7 working with a nx-3.0 package. I have to make new nx and nxserver-freenx packages for that, after that we can test (and mark) them stable on x86, and drop the remaining 2.x packages
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2007-09-16 23:10:47 UTC
Setting whiteboard to B2 because the codebase might allow code execution when using manipulated fonts with the old freetype code. [1] The vulnerabilities quoted above are privilege escalations and I do not think they're an issue here.

[1] http://secunia.com/advisories/21446/

Bernard, thanks for pointing out the dependencies. To sum up, we have two vulnerable packages:
1) net-misc/nx-2.1.0
2) net-misc/nxnode-2.1.0
Comment 4 Bernard Cafarelli gentoo-dev 2007-09-18 10:00:40 UTC
net-misc/nx-3.0.0 and net-misc/nxserver-freenx-0.7.0-r1 (that works with nx3) are in portage now
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2007-09-18 10:23:33 UTC
Thanks a lot, Bernard.

x86, please test and mark stable:
net-misc/nx
net-misc/nxclient
net-misc/nxnode
net-misc/nxserver-freeedition
(all in the latest 3.0.0 versions)

net-misc/nxserver-freenx-0.7.0-r1
Comment 6 Torsten Kaiser 2007-09-18 17:34:54 UTC
I see a new net-misc/nx-3.0.0:
nx-3.0.0.ebuild 1.1   8 hours   voyageur   Version bump to new 3.0.0 branch,...
but nothing in net-misc/nxserver-freenx:
nxserver-freenx-0.6.0.ebuild 1.5   2 months   opfer   stable x86, bug 180040 
nxserver-freenx-0.7.0.ebuild 1.1   5 weeks   voyageur   Version bump 
(from sources.gentoo.org/viewcvs.py)

CVS commit borked? Because the freenx-0.7.0 version in portage still depends on ~net-misc/nx-2.1.0
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2007-09-18 17:49:19 UTC
Seems like the new freenx was committed after the comment here, but it's in CVS now.
Comment 8 Bernard Cafarelli gentoo-dev 2007-09-18 17:58:15 UTC
Sorry for the delay, I missed the enter key after "repoman commit", and only realized it when I did not see it appear on mirrors at the same time as nx-3.0.0. The new version is 0.7.0-r1, not 0.7.0 (a patch is needed to use nx 3.0.0)
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-19 16:59:03 UTC
 * Running NoMachine's update script
NX> 701 Updating: server at: Mi Sep 19 16:44:59 2007.
NX> 701 Autodetected system: gentoo.
NX> 701 Update log is: /usr/NX/var/log/update.
NX> 701 Checking NX server configuration using /usr/NX/etc/server.cfg file.
NX> 701 ERROR: Output: chown: cannot access `/usr/NX/etc/keys/node.localhost.id_dsa': No such file or directory.
NX> 701 ERROR: Cannot set ownership attributes for '/usr/NX/etc/keys/node.localhost.id_dsa' to 'nx:root'.
 *
 * ERROR: net-misc/nxserver-freeedition-3.0.0-r3 failed.
Comment 10 Bernard Cafarelli gentoo-dev 2007-09-19 22:54:34 UTC
/usr/NX/etc/server.cfg is created by the setup script on first installation, at that time the files in /usr/NX/etc/keys are created. So when updating (determined by server.cfg already existing in the ebuild), these files should be there... A leftover incorrect /usr/NX/etc/server.cfg?
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2007-09-20 12:48:04 UTC
x86 stable, last arch, glsa to be requested, thus changing whiteboard
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-20 13:01:15 UTC
glsa request filed.
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-10-09 22:45:16 UTC
GLSA 200710-09